My IPTables Script

TheDanMan

08-11-2005 08:30:20

Am I doing anything stupid?





#!/bin/sh



set -e



PATH="/bin:/sbin:/usr/bin:/usr/sbin"



case "$1" in

        start)

                iptables -F

                iptables -t nat -F



                # Default Deny Policy

                iptables -P INPUT DROP

                iptables -P FORWARD DROP



                # Existing connections

                iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



                # Localhost is always trusted.

                iptables -A INPUT -i lo -j ACCEPT



                # Allow SSH, WWW, DNS, WEBMIN, POP3, SMTP, IMAP2, HTTPS, FTP, GKRELLM

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 22 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 80 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 25 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 53 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10000 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 110 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 113 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 143 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 443 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 993 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 995 -j ACCEPT

                iptables -A INPUT -m state --state NEW -p tcp --syn --dport 10001 -j ACCEPT

                iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

                ;;

        stop)

                iptables -P INPUT ACCEPT

                iptables -P FORWARD ACCEPT

                iptables -F

                ;;

        restart|reload)

                "$0" start

                "$0" stop

                ;;

        *)

                echo "Usage: $0 {start|stop|reload|restart}"

esac

robertngreen

08-11-2005 14:00:36

Doesn't look like you are doing anything dumb. Fairly strait forward and simple. I take it this is a web/mail/server not aciting as a router.

Athough instead of port numbers you can use names. Makes things a little easier to read. (ie http, pop3, imap, etc) You can find the offical names in /etc/services.

TheDanMan

08-11-2005 14:27:46

kewl kewl, thanks. Yeah I realize you can use names. I just prefer to use port numbers because I don't always remember the names ;-D

Oh and yes, it is a web/mail server.

gorshing

08-11-2005 14:35:30

I was curious if anybody has messed with the packet limits with iptables ... I mean with --limit and --limit-burst (I believe those are right).

Has anybody sent up a test network and tried a DDOS/DOS against a machine not using these limits and then again using the limits? I was just curious if it actually helps any.

Colleen

12-11-2005 10:57:02

I do some matching on limit in my scripts, but not for DDOS/DOS mitigation. What is effective against those kinds of attacks depends on the type of attack - SYN cookies can be used vs. SYN floods, there are various things you can do vs. UDP fragged packet floods, etc. However, if you've got a 3Mb Cox pipe and some malicious person is aiming 10Mb of crap traffic at you, you're screwed no matter what's in your iptables script because you can't get far enough upstream to filter the traffic.

- Colleen